Welcome to ISAserver.org
RE: Discussion about article on Network within Network config
RE: Discussion about article on Network within Network ... - 10.Sep.2004 5:31:00 PM   
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi Jeff,

Basically, to use ISA Server as a firewall, you need two interfaces on two different network IDs. Because you can really only have one "default" gateway, this should be set on the external interface (e.g. the interface that sits on the untrusted network).

If you have more than one internal (trusted) network ID, then you will need to configure static routes to those networks on your internal (trusted) interface.

For example, on my network, my ISA Server's internal interface sits on the 129.168.15.0/24 network. I also have internal networks 192.168.14.0/24 through 192.168.20.0/24. So I added static routes to those network IDs:
code:
route -p add 192.168.14.0 mask 255.255.255.0 192.168.15.1

... and so on (where 192.168.15.1 is the interface for the router that can reach the other networks).

Once you have configured your routing table so that the internal interface of the ISA Server "sees" all of the trusted network IDs, you configure the address range of the Internal Network element such that they match, and this should eliminate the errors.

HTH,

Bill

(in reply to tshinder)
Post #: 61
RE: Discussion about article on Network within Network ... - 10.Sep.2004 9:04:00 PM   
Fire
Posts: 265
Joined: 19.Mar.2001
From: Ontario, Canada
Status: offline
quote:
Originally posted by ClintD:
Fire - are you saying that you have all of the private subnets included in the properties of the "Internal" network and then divided the subnets into "Subnet" objects?

are you saying that you have all of the private subnets included in the properties of the "Internal" network

YES

then divided the subnets into "Subnet" objects

NO

(in reply to tshinder)
Post #: 62
RE: Discussion about article on Network within Network ... - 14.Sep.2004 2:00:00 PM   
jeff.field
Posts: 12
Joined: 21.Jul.2004
From: New Jersey
Status: offline
Thank you! Not only did removing the second default gateway and setting up proper routes eliminate this particular error, but it eliminated my proxy cache loop it would seem, as I was getting hundreds of that error a day and as soon as I made these changes it stopped completely.

Thank you!

-Jeff

(in reply to tshinder)
Post #: 63
RE: Discussion about article on Network within Network ... - 14.Sep.2004 4:05:00 PM   
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi Jeff,

Glad to have helped, and thanks for the follow-up!

Bill

(in reply to tshinder)
Post #: 64
RE: Discussion about article on Network within Network ... - 16.Sep.2004 10:12:00 PM   
arctica
Posts: 11
Joined: 22.Mar.2002
From: Sweden
Status: offline
Hi guys,

I had a terrible day installing, re-installing, installing ISA2004 and not understanding why I get the [INSERT FOUL LANGUAGE HERE] error messages mentioned in this thread.
Thanks for giving me the solution that I should not define my static routes in RRAS, but rather do them with "add route -p.....".

One question to you experts:
I have over 100 entries in RRAS. If I export them to a .txt file, is there an ADSI script to enter them all in an easy way?
I thought I might at least ask, before I sit all night doing this [Wink]

Regards

/Ronny

(in reply to tshinder)
Post #: 65
RE: Discussion about article on Network within Network ... - 16.Sep.2004 10:31:00 PM   
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi Ronny,

You could simply output the routes to a text file, and use the for /f command in a batch file to add routes for them. What does your text file look like?

Bill

(in reply to tshinder)
Post #: 66
RE: Discussion about article on Network within Network ... - 16.Sep.2004 11:19:00 PM   
arctica
Posts: 11
Joined: 22.Mar.2002
From: Sweden
Status: offline
Hi Bill,
I actually did just that. I used good ol' Notepad and search-and-replace and made a batch file out of it. That worked just fine. I have just rebooted the ISA; of course I got thrown out of the VPN connection I had to it, so now I am just praying that it will come back, since I have an hour's drive otherwise to get to the office [Smile]

Thanks once again for the valuable info in this thread!

/Ronny

(in reply to tshinder)
Post #: 67
RE: Discussion about article on Network within Network ... - 16.Sep.2004 11:36:00 PM   
arctica
Posts: 11
Joined: 22.Mar.2002
From: Sweden
Status: offline
Ok, so I have now removed all my static routes from RRAS and instead have them added with "route add -p" command.

Could someone just tell me what is the best and most correct procedure now, since I am a bit confused by all different opinions in this thread.

I simply have two NICs on my ISA. One is for the public ISP network (outside) and the other is to protect my inside network. So "my" LAN is 172.28.152.0/c, but I have a lot of routers on this inside LAN that connect me to all sorts of other LANs; we are all in one big domain tree and I do not want any limitations on any traffic between us.

Should I now add all these other internal subnets on the ADDRESSES tab of the INTERNAL network, or should I create all these other subnets that I route to as separate networks? Don't tell me the last option is the way to go, because then it will be an unrealistic workload to define them and add them as "allow everything for everything". I just can't understand why this should be needed when ISA2K was so simple to administer for this.

I love ISA2004 for its real-time monitoring and easy IPSEC tunnel setup, so I guess it's worth a couple of sleepless nights to get this setup to work.

/Ronny

(in reply to tshinder)
Post #: 68
RE: Discussion about article on Network within Network ... - 17.Sep.2004 4:51:00 AM   
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

When I do it, it doesn't make a difference whether I do it in RRAS or command line.

HTH,
Tom

(in reply to tshinder)
Post #: 69
RE: Discussion about article on Network within Network ... - 17.Sep.2004 5:51:00 PM   
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi Tom,

Try this:

1. Uninstall ISA Server 2004, reboot
2. Re-enable RRAS and add all static routes from the RRAS interface (no route -p add commands)
3. Confirm that route print says Persistent routes: None
4. Start installing ISA Server 2004
5. When selecting the addresses for the Internal network, use the Add Adapter button and confirm that the internal network IDs are correct (it gets this from the "static" routes created in the RRAS console)
6. Finish ISA Server 2004 installation, reboot

When I followed this procedure (e.g. all static routes created via RRAS console) I got the error every time.

HTH,

Bill

(in reply to tshinder)
Post #: 70
RE: Discussion about article on Network within Network ... - 17.Sep.2004 7:04:00 PM   
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Ronny wrote:
quote:
Should I now add all this other internal subnets on the ADDRESSES tab on the network INTERNAL, or should I create all this other subnets that I route to as separate networks?
Hi Ronny,

Go with option #1 (add your trusted IP address ranges to the Internal Network object).

HTH,

Bill

(in reply to tshinder)
Post #: 71
RE: Discussion about article on Network within Network ... - 17.Sep.2004 11:12:00 PM   
Kerry.Kriegel

Joined: 17.Sep.2004
From: Racine, Wisconsin
Status: offline
OK, I guess I'm not the only one confused by this ISA error -

ISA Server detected routes through adapter "Outside NIC (#1)" that do not correlate with the network element to which this adapter belongs. The address ranges in conflict are: --- blah blah blah --- Fix the network element and/or the routing table to make these ranges consistent; they should be in both or in neither. If you recently created a remote site network, check if the event recurs. If it does not, you may safely ignore this message.

All of my INTERNAL networks were in RAS prior to ISA install and they were all detected and placed in the INTERNAL network. Everything appears to be working correctly, except I have the error in my dashboard.

Are you saying that if I use the command line and do a "route add" instead of letting ISA read my RAS setup the error will go away?

(in reply to tshinder)
Post #: 72
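The error Kerry quotes says the ranges in conflict should be in both the routing table and the network element or in neither, which is the same match Bill asks for in post #61 between the Internal Network's addresses and the routes seen from the internal NIC. The following is an added example, not code from the thread or from ISA Server: it runs that check offline over a constructed `route print` excerpt and a constructed Internal address list; the addresses, the `INTERNAL_NIC` value and all function names are assumptions.

```python
import ipaddress

# Constructed `route print` excerpt for a two-NIC ISA box (sample, not from the thread):
# default gateway on the external NIC 203.0.113.10, internal NIC 192.168.15.2.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10      20
     192.168.14.0    255.255.255.0     192.168.15.1    192.168.15.2       1
     192.168.15.0    255.255.255.0     192.168.15.2    192.168.15.2      20
     192.168.16.0    255.255.255.0     192.168.15.1    192.168.15.2       1
"""
INTERNAL_NIC = "192.168.15.2"
# Ranges on the Internal network's Addresses tab (constructed; 192.168.16.0/24 is
# missing here and 192.168.20.0/24 has no route, so both should be reported).
INTERNAL_RANGES = [("192.168.14.0", "192.168.15.255"), ("192.168.20.0", "192.168.20.255")]

def routes_via_interface(route_print, interface_ip):
    """Non-default destination networks whose route leaves via interface_ip."""
    nets = []
    for line in route_print.splitlines():
        cols = line.split()
        try:
            net = ipaddress.IPv4Network((cols[0], cols[1]), strict=False)
        except (IndexError, ValueError):
            continue                                  # header or blank line
        if net.prefixlen and cols[3] == interface_ip:  # skip default route, other NIC
            nets.append(net)
    return nets

def subtract(nets_a, nets_b):
    """Address space in nets_a that no network in nets_b covers."""
    remaining = list(nets_a)
    for b in nets_b:
        kept = []
        for a in remaining:
            if a.subnet_of(b):
                continue                              # fully covered: drop
            if b.subnet_of(a):
                kept.extend(a.address_exclude(b))     # carve b out of a
            else:
                kept.append(a)                        # disjoint: keep
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))

def find_conflicts(route_print, interface_ip, internal_ranges):
    """Return (routed but not in Internal, in Internal but not routed) as CIDR strings."""
    routed = routes_via_interface(route_print, interface_ip)
    internal = [n for first, last in internal_ranges for n in
                ipaddress.summarize_address_range(ipaddress.IPv4Address(first),
                                                  ipaddress.IPv4Address(last))]
    return ([str(n) for n in subtract(routed, internal)],
            [str(n) for n in subtract(internal, routed)])
```

Either list being non-empty is what the dashboard alert is complaining about; fix it by adding the range to the Internal network or by adding (or removing) the persistent route, not by silencing the alert.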
RE: Discussion about article on Network within Network ... - 18.Sep.2004 12:03:00 AM   
Kerry.Kriegel
Posts: 30
Joined: 17.Sep.2004
From: Racine, Wisconsin
Status: offline
ALL RIGHT !

That is the answer. I have removed all of my static routes from RAS and used a bat file to set them each with a "route add -p " and the nasty configuration error has gone away.

I do not yet know why, but it seems as though ISA demands persistent routes ONLY. RAS static routes allow ISA to function correctly, but it creates the error.

(in reply to tshinder)
Post #: 73
RE: Discussion about article on Network within Network ... - 18.Sep.2004 2:50:00 PM   
Fire
Posts: 265
Joined: 19.Mar.2001
From: Ontario, Canada
Status: offline
The biggest confusion for ISA2004...

(in reply to tshinder)
Post #: 74
RE: Discussion about article on Network within Network ... - 18.Sep.2004 11:22:00 PM   
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

If there is no existing RRAS config (and there should not be), then you can add the routes either via the command line or via the RRAS console and it works fine both ways.

HTH,
Tom

(in reply to tshinder)
Post #: 75
RE: Discussion about article on Network within Network ... - 19.Sep.2004 10:20:00 PM   
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi Tom,

I was not able to get rid of the error unless I used route -p add on the command line. When I enabled RRAS and added the static routes before installing ISA Server 2004, I got the error every time.

HTH,

Bill

(in reply to tshinder)
Post #: 76
RE: Discussion about article on Network within Network ... - 20.Sep.2004 3:11:00 PM   
Kerry.Kriegel
Posts: 30
Joined: 17.Sep.2004
From: Racine, Wisconsin
Status: offline
I have tried this with every possible combination and the only way to eliminate the error is to use the command line and make persistent routes.

Adding routes in RRAS before or after install of ISA will cause the error to appear in the dashboard every time.

(in reply to tshinder)
Post #: 77
RE: Discussion about article on Network within Network ... - 21.Sep.2004 11:26:00 AM   
spazm
Posts: 20
Joined: 14.Jun.2003
From: Hawaii
Status: offline
After adding the routes, must you then create access rules between (trusted) subnets, or will ISA automatically know that it is trusted and allow communications to flow? I'd like to test it out, but I have a lack of equipment.

thanks!

(in reply to tshinder)
Post #: 78
RE: Discussion about article on Network within Network ... - 21.Sep.2004 4:37:00 PM   
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Spazm,

All addresses behind the same adapter are part of the same ISA firewall Network, so the ISA firewall doesn't mediate connections that take place between two hosts on the same network (why would it? It's like driving from Los Angeles to San Francisco by looping through NYC).

HTH,
Tom

(in reply to tshinder)
Post #: 79
RE: Discussion about article on Network within Network ... - 21.Sep.2004 6:55:00 PM   
spazm
Posts: 20
Joined: 14.Jun.2003
From: Hawaii
Status: offline
that makes sense. thanks !

(in reply to tshinder)
Post #: 80